{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25807", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-15T16:34:48.772Z", "datePublished": "2023-02-28T15:05:33.087Z", "dateUpdated": "2025-03-06T16:26:01.200Z"}, "containers": {"cna": {"title": "DataEase dashboard has a stored XSS vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf"}, {"name": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 1.18.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-28T15:05:33.087Z"}, "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization and analysis tool. When saving a dashboard on the DataEase platform saved data can be modified and store malicious code. This vulnerability can lead to the execution of malicious code stored by the attacker on the server side when the user accesses the dashboard. The vulnerability has been fixed in version 1.18.3.\n"}], "source": {"advisory": "GHSA-xj3h-3wmw-j5vf", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:32:12.744Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf"}, {"name": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-06T16:24:56.480800Z", "id": "CVE-2023-25807", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:26:01.200Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49", "name": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:32:12.744Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-25807", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-06T16:24:56.480800Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:25:50.526Z"}}], "cna": {"title": "DataEase dashboard has a stored XSS vulnerability", "source": {"advisory": "GHSA-xj3h-3wmw-j5vf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 1.18.3"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49", "name": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization and analysis tool. When saving a dashboard on the DataEase platform saved data can be modified and store malicious code. This vulnerability can lead to the execution of malicious code stored by the attacker on the server side when the user accesses the dashboard. The vulnerability has been fixed in version 1.18.3.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-28T15:05:33.087Z"}}}, "cveMetadata": {"cveId": "CVE-2023-25807", "state": "PUBLISHED", "dateUpdated": "2025-03-06T16:26:01.200Z", "dateReserved": "2023-02-15T16:34:48.772Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-02-28T15:05:33.087Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F420A41-D962-4B89-A618-07F61FDDAF3A", "versionEndExcluding": "1.18.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization and analysis tool. When saving a dashboard on the DataEase platform saved data can be modified and store malicious code. This vulnerability can lead to the execution of malicious code stored by the attacker on the server side when the user accesses the dashboard. The vulnerability has been fixed in version 1.18.3.\n"}], "id": "CVE-2023-25807", "lastModified": "2024-11-21T07:50:14.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-28T16:15:09.353", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-xj3h-3wmw-j5vf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}